@@ -624,6 +624,82 @@ def role_not_present(self, ldap_server, ldap_user):
624624 with And ("the user not to have any mapped LDAP role" ):
625625 assert r .output == "" , error ()
626626
627+ @TestScenario
628+ @Requirements (
629+ RQ_SRS_014_LDAP_RoleMapping_RBAC_Role_NotPresent ("1.0" )
630+ )
631+ def add_new_role_not_present (self , ldap_server , ldap_user ):
632+ """Check that LDAP user can still authenticate when the LDAP
633+ user is added to a new LDAP group that does not match any existing
634+ RBAC roles while having other role being already mapped.
635+ """
636+ uid = getuid ()
637+ role_name = f"role_{ uid } "
638+
639+ role_mappings = [
640+ {
641+ "base_dn" : "ou=groups,dc=company,dc=com" ,
642+ "attribute" : "cn" ,
643+ "search_filter" : "(&(objectClass=groupOfUniqueNames)(uniquemember={bind_dn}))" ,
644+ "prefix" : "clickhouse_"
645+ }
646+ ]
647+
648+ with Given ("I add LDAP group" ):
649+ groups = add_ldap_groups (groups = ({"cn" : "clickhouse_" + role_name },))
650+
651+ with And ("I add LDAP user to the group" ):
652+ add_user_to_group_in_ldap (user = ldap_user , group = groups [0 ])
653+
654+ with And ("I add matching RBAC role" ):
655+ roles = add_rbac_roles (roles = (f"{ role_name } " ,))
656+
657+ with And ("I add LDAP external user directory configuration" ):
658+ add_ldap_external_user_directory (server = ldap_server ,
659+ role_mappings = role_mappings , restart = True )
660+
661+ with When (f"I login as an LDAP user" ):
662+ r = self .context .node .query (f"SHOW GRANTS" , settings = [
663+ ("user" , ldap_user ["username" ]), ("password" , ldap_user ["password" ])], no_checks = True )
664+
665+ with Then ("I expect the login to succeed" ):
666+ assert r .exitcode == 0 , error ()
667+
668+ with And ("the user should have the mapped LDAP role" ):
669+ assert f"{ role_name } " in r .output , error ()
670+
671+ with When ("I add LDAP group that maps to unknown role" ):
672+ unknown_groups = add_ldap_groups (groups = ({"cn" : "clickhouse_" + role_name + "_unknown" },))
673+
674+ with And ("I add LDAP user to the group that maps to unknown role" ):
675+ add_user_to_group_in_ldap (user = ldap_user , group = unknown_groups [0 ])
676+
677+ with And (f"I again login as an LDAP user" ):
678+ r = self .context .node .query (f"SHOW GRANTS" , settings = [
679+ ("user" , ldap_user ["username" ]), ("password" , ldap_user ["password" ])], no_checks = True )
680+
681+ with Then ("I expect the login to succeed" ):
682+ assert r .exitcode == 0 , error ()
683+
684+ with And ("the user should still have the present mapped LDAP role" ):
685+ assert f"{ role_name } " in r .output , error ()
686+
687+ with When ("I add matching previously unknown RBAC role" ):
688+ unknown_roles = add_rbac_roles (roles = (f"{ role_name } _unknown" ,))
689+
690+ with And (f"I again login as an LDAP user after previously unknown RBAC role has been added" ):
691+ r = self .context .node .query (f"SHOW GRANTS" , settings = [
692+ ("user" , ldap_user ["username" ]), ("password" , ldap_user ["password" ])], no_checks = True )
693+
694+ with Then ("I expect the login to succeed" ):
695+ assert r .exitcode == 0 , error ()
696+
697+ with And ("the user should still have the first mapped LDAP role" ):
698+ assert f"{ role_name } " in r .output , error ()
699+
700+ with And ("the user should have the previously unknown mapped LDAP role" ):
701+ assert f"{ role_name } _unknown" in r .output , error ()
702+
627703@TestScenario
628704@Requirements (
629705 RQ_SRS_014_LDAP_RoleMapping_RBAC_Role_Removed ("1.0" ),
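Review bot: The assertion `assert f"{ role_name } " in r .output` under "the user should still have the first mapped LDAP role" (the step after the previously unknown RBAC role is added) is a plain substring check, and `role_{uid}` is a prefix of `role_{uid}_unknown`, so it passes even if the first role has been dropped from the grants and only the `_unknown` role remains. Match the role name as a whole token instead, e.g. `assert role_name in r.output.replace(",", " ").split(), error()`, and use the same form for the two earlier `in r.output` checks so all three assertions are equally strict; the final `_unknown` check is unaffected but can be written the same way for consistency. As a point of style, the `f"SHOW GRANTS"` / `f"I login as an LDAP user"` f-strings carry no placeholders and the same three-line `SHOW GRANTS` query is repeated three times; a small local helper that runs the query for `ldap_user` and returns `r` would shorten the scenario.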